Messaging systems are a critical application for the Internet, but systems like Internet email based on SMTP are beset by many problems, such as abuse of access control for email inboxes (spam), authentication (phishing and other types of fraud), confidentiality (where end-to-end encryption is still a challenge), and reliability. Important application areas such as the medical and financial sectors have turned to other mechanisms. For example, the Centers for Disease Control and Prevention (CDC) standards for messaging envision an architecture in which communications are based on web services, an emerging XML-based foundation for distributed computing. Financial entities like banks and mutual funds have developed techniques in which back-end server systems implement their own secure messaging, while users are notified of messages by SMTP and use browsers to access them. This architecture has emerged as a widespread ad hoc workaround that achieves a practical solution, but without the deeper analysis (especially of security) needed to put it on a rigorous foundation.
This project will develop new architectures and strategies for secure messaging systems built on attribute-based security and messaging. In this approach, attributes of principals are the primary foundation for access control, routing, and security transformations. Attribute-Based Access Control promises greater flexibility and integration than access control lists and roles. Attribute-Based Messaging makes messaging more dynamic and targeted. Attribute-Based Encryption allows only principals with specified attributes to decrypt messages. The project will advance these three attribute-based techniques and assess their effectiveness in a web-services application.